Security Advisories - mediawiki/core

mediawiki/core Security Advisories for 1.34.0 (12)

[HIGH] MediaWiki Denial of Service vulnerability

PKSA-wzph-c8jf-dsw9 CVE-2023-45363 GHSA-w5fx-cx7f-6vr9

Affected version: =1.40.0|>=1.36.0,<1.39.5|<1.35.12

Reported by:
GitHub
[CRITICAL] X-Forwarded-For header allows brute-forcing autoblocked IP addresses

PKSA-sywz-vkhh-67ff CVE-2023-29141 GHSA-5vj8-g3qg-4qh6

Affected version: <1.35.10|>=1.38.0,<1.38.6|>=1.39.0,<1.39.3

Reported by:
GitHub
[MEDIUM] MediaWiki allows a denial of service

PKSA-qcmj-k84v-rjky CVE-2021-41800 GHSA-c8wv-qwwc-6j73

Affected version: <1.36.2

Reported by:
GitHub
[MEDIUM] img_auth.php may leak private extension images into the public cache

PKSA-ddy8-wbbj-hqfh CVE-2020-15005 GHSA-xpv7-93cm-4mxv

Affected version: >=1.34.0,<1.34.2|>=1.32.0,<1.33.4|<1.31.8

Reported by:
GitHub
[MEDIUM] Unescaped message used in HTML within LogEventsList

PKSA-t513-2v8h-wrkx CVE-2020-25815 GHSA-2f58-vf6g-6p8x

Affected version: >=1.34.0,<1.34.3|>=1.34.99,<1.35.0

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Unescaped message used in HTML on Special:Contributions

PKSA-k79b-82mf-pj31 CVE-2020-25812 GHSA-rj9p-8jxj-2ch4

Affected version: >=1.34.0,<1.34.3|>=1.34.99,<1.35.0

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML

PKSA-z45m-sh5c-325v CVE-2020-25828 GHSA-h8qx-mj6v-2934

Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3|>=1.34.99,<1.35.0

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] mw.message.parse() accepts javascript: protocol in wikilinks

PKSA-2scp-v3wb-xcgz CVE-2020-25814 GHSA-4vr7-m8p8-434h

Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3|>=1.34.99,<1.35.0

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Special:UserRights exposes the existence of hidden users

PKSA-d4kb-dkjp-1n1j CVE-2020-25813 GHSA-c4rj-wrmq-52rj

Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] makeCollapsible allows applying event handler to any CSS selector

PKSA-pvds-fsx9-62mq CVE-2020-10960 GHSA-pfm2-mqwj-ggm5

Affected version: >=1.31.0,<1.31.7|>=1.33.0,<1.33.3|>=1.34.0,<1.34.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] User content can redirect the logout button to different URL

PKSA-49h8-xbh2-gnd6 CVE-2020-10959 GHSA-mqhw-wq8p-vf5r

Affected version: >=1.34.0,<1.34.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] TOTP throttle not enforced cross-wiki

PKSA-mshv-sn4g-n4ty CVE-2020-25827 GHSA-rqvj-fc2x-99q6

Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3

Reported by:
GitHub, FriendsOfPHP/security-advisories

mediawiki/core Security Advisories for 1.34.0 (12)

[HIGH] MediaWiki Denial of Service vulnerability

[CRITICAL] X-Forwarded-For header allows brute-forcing autoblocked IP addresses

[MEDIUM] MediaWiki allows a denial of service

[MEDIUM] img_auth.php may leak private extension images into the public cache

[MEDIUM] Unescaped message used in HTML within LogEventsList

[MEDIUM] Unescaped message used in HTML on Special:Contributions

[MEDIUM] Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML

[MEDIUM] mw.message.parse() accepts javascript: protocol in wikilinks

[MEDIUM] Special:UserRights exposes the existence of hidden users

[MEDIUM] makeCollapsible allows applying event handler to any CSS selector

[MEDIUM] User content can redirect the logout button to different URL

[HIGH] TOTP throttle not enforced cross-wiki